Using credentials securely in ansible inventory


In order to connect to a Windows host I will need to pass the credentials in an inventory file. Here's my inventory file:

[windows]
100.100.100.100

[windows:vars]
ansible_user=Adminuser
ansible_password="Mypassword"
ansible_port=5986
ansible_connection=winrm
ansible_winrm_server_cert_validation=ignore

Ansible documentation says that the credentials should be encrypted with ansible-vault. Can I use a variable file that's been encrypted using ansible-vault in my inventory file? And if so, how do I pass my ansible-vault credentials to my inventory file? I will also be using credentials in my playbook like this:

- hosts: windows
  gather_facts: no

  vars_files:
  - vars.yml

  tasks:
  - win_domain_membership:
      dns_domain_name: my.domain.com
      hostname: ansible-host
      domain_admin_user: "{{ admin_user }}"
      domain_admin_password: "{{ passwd }}"
      domain_ou_path: "OU=Windows,OU=Servers,DC=ansible,DC=com"
      state: domain
    register: domain_state

I will then use ansible-vault to encrypt my variable file for this playbook.

---
admin_user: [email protected]
passwd: mypassword

And then pass my ansible-vault credentials to my playbook at the command line:

$ ansible-playbook myplaybook.yml --ask-vault-pass

Is it possible to store both the variable file used in my inventory and the variable file used in my playbook in the same ansible-vault? That way I can pass the ansible-vault credentials for both files at the command line?

On BEST ANSWER

The ansible-vault command encrypts a single file. Ansible decrypts this at runtime and interprets it the same way it would if the file had been unencrypted (so you can't "store both the variable file used in my inventory and the variable file used in my playbook in the same ansible-vault" because those are two different files).

I would just remove the variable from your inventory, leaving it like this:

[windows]
100.100.100.100

And then create group_vars/windows.yml as a vaulted file with the following content (ansible-vault create group_vars/windows.yml):

ansible_user: Adminuser
ansible_password: "Mypassword"
ansible_port: 5986
ansible_connection: winrm
ansible_winrm_server_cert_validation: ignore

Ansible will automatically apply the variables in group_vars/windows.yml when you have a play that targets the windows group.
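The layout below is an added example, not code from the question or the answer. It goes one step beyond the answer: instead of vaulting the whole group_vars file, it keeps a plain-text group_vars/windows/vars.yml that references vault_* names and puts only those values in a vaulted group_vars/windows/vault.yml, which is the layout the Ansible documentation recommends so that variable names stay greppable and the plain file stays reviewable. It then encrypts the vault file and checks that nothing secret is left in the clear. Host address, user names, domain and OU are placeholders taken from the question; the domain admin address admin@my.domain.com, the demo vault password "change-me" and the .vault_pass location are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original question or answer. It lays out an
# Ansible project in which nothing secret is in the inventory: connection and
# domain-join secrets live in group_vars/windows/vault.yml (encrypted with
# ansible-vault) and group_vars/windows/vars.yml references them by name.
# Host address, user names, domain and OU are placeholders modelled on the
# question; admin@my.domain.com and "change-me" are assumptions of this demo.
set -eu

# Create the inventory, the split vars/vault files and the playbook under $1.
write_layout() {
    dir="$1"
    mkdir -p "$dir/group_vars/windows"

    # The inventory holds only the host; no credentials here.
    cat > "$dir/inventory.ini" <<'EOF'
[windows]
100.100.100.100
EOF

    # Plain-text settings. Secrets are indirected through vault_* names so
    # `grep ansible_password` still shows where the value is used and this
    # file can be diffed and reviewed in the clear.
    cat > "$dir/group_vars/windows/vars.yml" <<'EOF'
---
ansible_connection: winrm
ansible_port: 5986
ansible_user: Adminuser
ansible_password: "{{ vault_ansible_password }}"
# The question used "ignore", which disables TLS server-certificate checks
# on the WinRM listener; "validate" is the default and the safe setting.
ansible_winrm_server_cert_validation: validate
admin_user: "{{ vault_admin_user }}"
passwd: "{{ vault_passwd }}"
EOF

    # Everything in this file gets encrypted. One vault password decrypts every
    # vaulted file on a run, so a single --ask-vault-pass (or
    # --vault-password-file) unlocks both the WinRM and the domain-join secrets.
    cat > "$dir/group_vars/windows/vault.yml" <<'EOF'
---
vault_ansible_password: "Mypassword"
vault_admin_user: "admin@my.domain.com"
vault_passwd: "mypassword"
EOF

    # group_vars/windows/*.yml is loaded automatically for the windows group,
    # so the play needs no vars_files at all.
    cat > "$dir/join.yml" <<'EOF'
---
- hosts: windows
  gather_facts: no
  tasks:
    - win_domain_membership:
        dns_domain_name: my.domain.com
        hostname: ansible-host
        domain_admin_user: "{{ admin_user }}"
        domain_admin_password: "{{ passwd }}"
        domain_ou_path: "OU=Windows,OU=Servers,DC=ansible,DC=com"
        state: domain
      register: domain_state
EOF
}

# Encrypt the vault file in place with the password held in file $2 (keep the
# real one outside the repository, mode 0600, and never commit it).
encrypt_vault() {
    ansible-vault encrypt --vault-password-file "$2" "$1/group_vars/windows/vault.yml"
}

# Return 0 when $1 starts with the ansible-vault header, i.e. is safe to commit.
is_vaulted() {
    head -n 1 "$1" | grep -q '^\$ANSIBLE_VAULT;'
}

# Return 0 when no literal password value (anything other than a "{{ ... }}"
# reference) appears in the files that stay in plain text.
no_cleartext_secrets() {
    if grep -Eq 'password(:|=)[[:space:]]*"?[^"{[:space:]]' \
        "$1/inventory.ini" "$1/group_vars/windows/vars.yml"; then
        return 1
    fi
    return 0
}

main() {
    proj="${1:-$(mktemp -d)}"
    write_layout "$proj"
    no_cleartext_secrets "$proj"
    if command -v ansible-vault >/dev/null 2>&1; then
        passfile="$proj/.vault_pass"   # demo location only; keep the real file out of the repo
        (umask 077; printf '%s\n' 'change-me' > "$passfile")
        encrypt_vault "$proj" "$passfile"
        is_vaulted "$proj/group_vars/windows/vault.yml"
        echo "run: ansible-playbook -i $proj/inventory.ini --vault-password-file $passfile $proj/join.yml"
    else
        echo "ansible-vault not found; vault.yml in $proj is still cleartext" >&2
    fi
}

main "$@"
```

Run it with a project directory as the only argument (or none, for a temporary one). Interactive use replaces `--vault-password-file` with `--ask-vault-pass`; either way one password decrypts every vaulted file, so the connection secrets and the domain-join secrets can live in as many vaulted files as you like and still be unlocked by a single prompt. `no_cleartext_secrets` is the check to run before committing: the inventory and vars.yml must contain only `"{{ vault_... }}"` references, and `is_vaulted` refuses anything without the `$ANSIBLE_VAULT;` header. Setting `ansible_winrm_server_cert_validation: ignore`, as in the question, makes the controller accept any certificate on port 5986 and so hands the WinRM password to whoever sits in the path; fix the listener certificate instead of silencing the check.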